
Re: Agenda, security, and monitoring

2014-02-03 19:22:00
It's Executive Order 12333 not 12003, which is quite different.

Also, we have sources that say they do the same bulk collection with credit 
card purchase transaction metadata (WSJ reported the Thursday of the week last 
June that began the Snowden disclosures). Although that's not commsec.

Responding to an earlier email on this thread out of order (sorry Theodore), I 
think devaluing the power of metadata and traffic analysis is a bad path to 
start down on. Content often has to be further interpreted and in many cases 
context can be inferred from metadata. Matt Blaze has a great Wired opinion 
article that makes a number of very good points with respect to what one can 
learn via metadata.

best, Joe

On Feb 3, 2014, at 14:56, Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:

On Mon, Feb 03, 2014 at 02:02:31PM -0500, Dale R. Worley wrote:

The recent news reports that I have seen are that the NSA's pervasive
monitoring focuses on "metadata", "who is talking to whom".  And the
trouble with end-to-end confidentiality mechanisms is that they do not
hide the destination address; indeed they can't.  And it seems to me
that almost no confidentiality systems have been focused on
confidentiality of message destinations.

That's what NSA is doing for telephones, and briefly using e-mail
analyzing communications between US persons under their authorities
(or claimed authorities) under section 215 of the Patriot Act.

It would be a mistake to assume this is *all* they are doing.  Indeed,
it's likely that the NSA is actually doing keyword based filtering of
content, for communications that are between non-US persons and where
the endpoints are outside of the US.  This is done under their
authorities granted to them under Executive Order 12003.

Given that the FBI wanted to drop "Carnivore" servers in US data
centers to do this kind of keyword based filtering many years ago,
it's certainly within the capabilities of the US Intelligence Community.

So to the extent that non-US persons want the same level of privacy
that apparently US persons have (unless there is some other secret
court order with some other secret law interpretation we're not aware
of which is enabling the FBI to do this kind of snooping, and we just
don't know about it yet), it's not surprising people are interested in
encrypting e-mail bodies.

Encrypting the endpoint identities is a lot more difficult, since you
need to route the information somehow.  There are solutions such as
onion routing, but their ease of use isn't quite there, and I don't
think they currently would scale well if huge numbers of people were
using them.

Certainly hiding the RFC-822 headers, including the subject lines,
inside the encrypted body would certainly be a good start, but of
course that doesn't solve the issue of the SMTP envelope information.

                                        - Ted
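
The limit described in the last paragraph of the quoted message, as an added example that is not part of the thread: every RFC 822 header is moved inside an opaque body, yet the SMTP envelope still yields the who-talks-to-whom edges. The addresses, subject text and the `opaque_placeholder` stand-in for real OpenPGP or S/MIME encryption are constructed assumptions.

```python
# Added example, not from the thread. Addresses and text are constructed.
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

def opaque_placeholder(plaintext):
    """Assumption: stands in for OpenPGP or S/MIME output. Random bytes of
    the same length, so only the size of the plaintext leaks."""
    return os.urandom(len(plaintext))

def wrap(inner, mail_from, rcpt_to):
    """Hide every RFC 822 header of `inner` in the protected body.
    Returns (SMTP envelope, bytes sent after DATA)."""
    outer = EmailMessage()
    outer["Subject"] = "Encrypted message"   # dummy outer subject
    outer["Date"] = str(inner["Date"])       # relays stamp the time anyway
    outer.set_content(opaque_placeholder(inner.as_bytes()),
                      maintype="application", subtype="octet-stream")
    return {"mail_from": mail_from, "rcpt_to": list(rcpt_to)}, outer.as_bytes()

def observer_view(envelope, wire):
    """What a relay (or a monitor on an unencrypted hop) learns without a key."""
    msg = message_from_bytes(wire, policy=policy.default)
    return {
        "edges": [(envelope["mail_from"], r) for r in envelope["rcpt_to"]],
        "headers": sorted(k.lower() for k in msg.keys()),
        "subject": str(msg["Subject"]),
        "size": len(wire),
    }

def demo():
    inner = EmailMessage()
    inner["From"] = "Alice <alice@example.org>"
    inner["To"] = "bob@example.net, carol@example.net"
    inner["Subject"] = "merger timeline"
    inner["Date"] = "Mon, 03 Feb 2014 12:00:00 -0500"
    inner.set_content("Constructed body text.")
    envelope, wire = wrap(inner, "alice@example.org",
                          ["bob@example.net", "carol@example.net"])
    return observer_view(envelope, wire), wire

if __name__ == "__main__":
    view, _ = demo()
    for key, value in view.items():
        print(f"{key}: {value}")
```

The inner subject and address headers never appear on the wire, but `edges` and `size` are exactly the inputs traffic analysis needs.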

